From Fedora Project Wiki
No edit summary
m (Add trackers)
 
(22 intermediate revisions by 2 users not shown)
Line 1: Line 1:
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->


= Change BIND 9.18 =
= BIND 9.18 =


== Summary ==
== Summary ==
Line 20: Line 20:


== Current status ==
== Current status ==
[[Category:ChangePageIncomplete]]
[[Category:ChangeAcceptedF37]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
Line 38: Line 38:
ON_QA -> change is fully code complete
ON_QA -> change is fully code complete
-->
-->
* FESCo issue: <will be assigned by the Wrangler>
* [https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/QCTN7NBN3WFOKNI4VQGAZWI7DBJEJZUC/ devel thread]
* Tracker bug: <will be assigned by the Wrangler>
* FESCo issue: [https://pagure.io/fesco/issue/2840 #2840]
* Release notes tracker: <will be assigned by the Wrangler>
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=2114330 #2114330]
* Release notes tracker: [https://pagure.io/fedora-docs/release-notes/issue/869 #869]


== Detailed Description ==
== Detailed Description ==
Line 92: Line 93:
* Proposal owners:
* Proposal owners:
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
The update required update of bind-dyndb-ldap package (part of Freeipa suite), but otherwise it is isolated change.
* The update required update of bind-dyndb-ldap package (part of Freeipa suite), but otherwise it is isolated change.


* Other developers: <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Other developers: <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
Any developers
Any developers
* Change pull request: [https://src.fedoraproject.org/rpms/bind/pull-request/13 bind PR#13]


* Release engineering: [https://pagure.io/releng/issues #Releng issue number] <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Release engineering: [https://pagure.io/releng/issues #Releng issue number] <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
Line 116: Line 119:
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->


Upgrade should be smooth from 9.16.x, without significant issues. Incompatibility existed with bind-dyndb-ldap, but that were resolved.
=== PKCS11 removal ===
Native PKCS11 builds in separate '''bind-pkcs11''' package and '''bind-pkcs11-utils''' will be not longer built. It used to read directly pkcs11 plugins, but it will be supported only indirectly using OpenSSL pkcs11 engine.
Following commands would be removed:
* pkcs11-keygen
* pkcs11-destroy
* pkcs11-list
* pkcs11-tokens
All their actions should be possible using ''pkcs11-tool'' from ''opensc'' package or ''p11tool'' from ''gnutls-utils'' package.
* dnssec-*-pkcs11 commands would be removed too, but they have simple replacement using ''-E pkcs11'' parameter to their respective normal dnssec-* tool.
=== Python isc module ===
The utilities ''dnssec-checkds'', ''dnssec-coverage'', and ''dnssec-keymgr'' have been removed from '''bind-dnssec-utils''' package. Also '''python3-bind''' python module is no longer supported by ISC upstream and therefore removed from a bind package. DNSSEC features formerly provided by these utilities are now integrated into named. See the [https://bind9.readthedocs.io/en/v9_18_4/reference.html#dnssec-policy-grammar dnssec-policy configuration option] for more details.
=== Map file format ===
Support for the ''map'' zone file format (''masterfile-format map;'') has been removed. Use ''raw'' format instead, which has similar performance and less issues. Use ''named-compilezone -f map -F raw'' tool to convert the zone to ''raw'' format '''before''' the upgrade.
=== Removed options ===
Previously deprecated options were removed and are no longer accepted in ''/etc/named.conf''. Their full list can be found on [https://bind9.readthedocs.io/en/v9_18_4/notes.html#removed-features removed features] release notes in Upstream.


== How To Test ==
== How To Test ==
Line 146: Line 177:
  - Green has been scientifically proven to be the most relaxing color. The move to a default background color of green with green text will result in Fedora users being the most relaxed users of any operating system.
  - Green has been scientifically proven to be the most relaxing color. The move to a default background color of green with green text will result in Fedora users being the most relaxed users of any operating system.
-->
-->
* Users will get simple tools to query also encrypted DNS servers.
* Recent improvements packaged.
* Simplified DNSSEC maintenance of both keys and signatures via ''dnssec-policy''


== Dependencies ==
== Dependencies ==
Line 152: Line 187:
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->


bind-dyndb-ldap would be built together with bind package. It were upgraded to version 11.10 to support BIND 9.18 release.


== Contingency Plan ==
== Contingency Plan ==
Line 165: Line 201:
== Documentation ==
== Documentation ==
<!-- Is there upstream documentation on this change, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
<!-- Is there upstream documentation on this change, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
- Upstream [release notes](https://bind9.readthedocs.io/en/v9_18_4/notes.html#notes-for-bind-9-18-0)
- Upstream [https://bind9.readthedocs.io/en/v9_18_4/notes.html#notes-for-bind-9-18-0 release notes]


<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
N/A (not a System Wide Change)  
N/A (not a System Wide Change)


== Release Notes ==
== Release Notes ==

Latest revision as of 16:37, 2 August 2022


BIND 9.18

Summary

Owner


Current status

Detailed Description

ISC BIND9 will be upgraded to new major release version 9.18.x. It introduces new features and changes. It will also remove some packages provided before.

Feedback

Benefit to Fedora

The most recent major release will be provided, with some notable features:

  • Support to DNS over TLS and DNS over HTTPS servers. Both authoritative and resolver modes.
  • Reworked internal connection handling using libuv
  • RNDC channel does not support unix sockets [1]
  • Zone transfers over DNS over TLS were added, both incoming and outgoing.
  • dig is now able to send queries using DNS over TLS
  • dig is now able to send queries using DNS over HTTPS


Scope

  • Proposal owners:
  • The update required update of bind-dyndb-ldap package (part of Freeipa suite), but otherwise it is isolated change.
  • Other developers:

Any developers

  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

Upgrade should be smooth from 9.16.x, without significant issues. Incompatibility existed with bind-dyndb-ldap, but that were resolved.

PKCS11 removal

Native PKCS11 builds in separate bind-pkcs11 package and bind-pkcs11-utils will be not longer built. It used to read directly pkcs11 plugins, but it will be supported only indirectly using OpenSSL pkcs11 engine.

Following commands would be removed:

  • pkcs11-keygen
  • pkcs11-destroy
  • pkcs11-list
  • pkcs11-tokens

All their actions should be possible using pkcs11-tool from opensc package or p11tool from gnutls-utils package.

  • dnssec-*-pkcs11 commands would be removed too, but they have simple replacement using -E pkcs11 parameter to their respective normal dnssec-* tool.

Python isc module

The utilities dnssec-checkds, dnssec-coverage, and dnssec-keymgr have been removed from bind-dnssec-utils package. Also python3-bind python module is no longer supported by ISC upstream and therefore removed from a bind package. DNSSEC features formerly provided by these utilities are now integrated into named. See the dnssec-policy configuration option for more details.

Map file format

Support for the map zone file format (masterfile-format map;) has been removed. Use raw format instead, which has similar performance and less issues. Use named-compilezone -f map -F raw tool to convert the zone to raw format before the upgrade.

Removed options

Previously deprecated options were removed and are no longer accepted in /etc/named.conf. Their full list can be found on removed features release notes in Upstream.

How To Test

User Experience

  • Users will get simple tools to query also encrypted DNS servers.
  • Recent improvements packaged.
  • Simplified DNSSEC maintenance of both keys and signatures via dnssec-policy

Dependencies

bind-dyndb-ldap would be built together with bind package. It were upgraded to version 11.10 to support BIND 9.18 release.

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No


Documentation

- Upstream release notes

N/A (not a System Wide Change)

Release Notes